Re: Investigating multi-factor authentication for the SA4500

Well, pretty much any multi-factor authentication tool that is RADIUS-based will work just fine. I am sure you will get lots of replies, but I have done implementations that involved successful integrations of the following into the SA box:

Re: Investigating multi-factor authentication for the SA4500

We are trying that as well right now. I successfully added Active Directory and RSA/ACE authentication servers, but I have some problems connecting to the RADIUS. But that's more a RADIUS problem of my Windows IAS (Internet Authentication Server), which isn't able to bring port 1812 for RADIUS up. Does anyone have experience with that?

Re: Investigating multi-factor authentication for the SA4500

We deployed 2-factor auth to our VPN environment by using AD username/password as the primary and user certificates as the secondary. All mapping is done by username, but the realm does confirm that the certificate is legitimate (it can check certain parts of the cert) before allowing them in. This may not be an option for you, but we ended up developing a free solution for the certificates. A developer of ours used OpenSSL for Windows and built a .NET website around it to allow users to request / generate their own certificates. I don't know the specifics as to how he got it to work, but I didn't get the impression it was especially difficult. The IVE is configured to trust client certs from (and only from) the CA that OpenSSL is using, and the website allows users to self-generate certs to use for it.

There are other solutions that work just as well but they will all cost.

We got them for virtually nothing. Here in Canada, the Fed Govt (PWGSC) has a government-wide contract for all Entrust products. So we got the Entrust IdentityGuard software for free, user CALs for free, updates and support for free... so all we've had to buy is the tokens @ $5 each.

Only thing I prefer about the RSA type tokens is no button. On the Entrust tokens there is a button to generate the code, and even with a decently sized drift window, we still have users who press the button soooo many times the tokens become out of sync. RSA type tokens have no buttons....